self-certificate @1.1.0
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC
OSV ID
MAL-2026-5644
Ecosystem
npm
Summary
The package presents itself as a self-signed certificate generator, but its public generateCertificates() API path loads sample/cert.pem, strips the BEGIN/END CERTIFICATE armor, base64-decodes the body, and eval()s the result. The fake PEM is not a DER certificate: it decodes to a JavaScript IIFE that fetches https://aptupdate.org/settings/privacy.php (the destination is itself base64-encoded, adding a second layer of concealment), pipes the response into a spawned python3/python interpreter (spawn('python3'|'python', ['-'], {stdio:['pipe','ignore','ignore'], detached:true, windowsHide:true})), writes the fetched bytes to the child's stdin, and unref()s the child so it outlives the caller. The combination of a cover-story file extension, a double-base64-wrapped C2 URL, detached/hidden/stdio-ignored Python execution, and eval() of a payload disguised as a certificate is a deliberately concealed remote-code-execution backdoor against any consumer of the advertised API.
Source: amazon-inspector (ab587fcd5a0b45e17454fc742007b8b597a0aec49b443d8a5a087ba910ea4a40)